The healthcare industry has become an increasingly attractive target for cyber criminals. The richness of the data combined with the increasing interconnectedness of healthcare technologies makes the industry ripe for cyberattacks.
Data assets, including electronic protected health information (ePHI), are a sought-after commodity. “We have so much data that can be exploited for criminal uses,” said Lee Kim, director of Privacy and Security for HIMSS North America. “The data is very, very valuable on the cyber black market.” In fact, a recent Rand report on Markets for Cybercrime Tools and Stolen Data concluded that “the [cybercrime] black market can be more profitable than the illegal drug trade.”1
The healthcare industry has experienced frequent and aggressive cyberattacks, and as a result, the number and volume of data breaches have increased. By Federal law, the U.S. Department of Health and Human Services tracks breaches of unsecured PHI affecting 500 or more individuals. The number of reported breaches increased from 197 incidents in 2010 to 278 incidents in 2014.2
The costs of cyberattacks are manifold. Data breaches negatively impact an organization’s reputation, brand and the trust of its customers. Quantifiable costs include notifying affected individuals, follow-up credit monitoring, federal and state penalties and fees, the costs of repairing and mitigating IT infrastructure damage caused by the attacks and the potential for class action lawsuits.3,4 It’s no surprise that in a recent HIMSS Cybersecurity Survey of 297 healthcare executives, 87 percent of respondents indicated that information security has increased as a business priority over the past year.5
Why web security matters
Before the current emphasis on data accessibility and exchange, electronic healthcare information was often contained in an on-premise data center, tucked safely behind an appliance-based firewall. However, the new connected nature of the healthcare industry has weakened the effectiveness of traditional defense measures.
Federal incentives accelerated the adoption of digitized health records and the electronic exchange of information between healthcare providers and related entities. At the same time, technological innovations in providing patient care and collecting patient data have resulted in a proliferation of devices and applications that use the web to deliver communications and data between patients and providers.
Federal incentives accelerated the adoption of digitized health records and the electronic exchange of information between healthcare providers and related entities. At the same time, technological innovations in providing patient care and collecting patient data have resulted in a proliferation of devices and applications that use the web to deliver communications and data between patients and providers.
The evolving cyberthreat landscape
Cybercriminals use multiple tools and strategies, and their methods of attack are constantly evolving. Web-based attack methods have become more pervasive as the healthcare industry has become more connected. Two types of attacks that have become increasingly common are Distributed Denial of Service (DDoS) attacks and web application attacks.
Distributed Denial of Service (DDoS) Attacks
In early 2014, the FBI sent out a private industry notification (PIN) to healthcare providers alerting organizations to increases in cyber intrusions and attacks.6 According to media reports, less than three weeks later, a large hospital became the target of repeated DDoS attacks that threatened to shut down the hospital network.
Sometimes DDoS attacks are carried out in tandem with web application attacks. A DDoS attack can be deployed as a diversion to distract an organization from a simultaneous web application attack designed to exfiltrate protected data. In other cases, web application attacks occur independently of DDoS attacks.
DDoS attacks have been increasing in frequency and size across all industry sectors according to Akamai’s State of the Internet/Security report for Q2 2015.7 “It has become much easier to launch DDoS attacks,” said Renny Shen, senior product manager for Akamai. “There are a lot of DDoS attack tools on the web that anybody can download or rent and point at any website to take them down.”
Not only are DDoS attack tools more available, they are also becoming more powerful. “We are seeing enormous increases in the power of these tools,” Shen said. “In just one year, we saw attacks attributed to these types of tools increase five-fold, from 20 Gigabits per second (Gbps) in Q1 2014 to 107 Gbps in 2015.”
Akamai reports that in Q2 2015, the largest DDoS “mega attack” against its customers registered at nearly 250 Gbps. The size of these attacks has implications for healthcare information security programs.
“For smaller DDoS attacks, organizations can think about protecting against attacks from inside their datacenter with on-premises hardware,” Shen noted. “But for anything larger than a few Gbps, they really have to start thinking about cloud-based security solutions that can quickly scale up to defend against an attack of that size.”
Web Application Attacks
Web application attacks exploit vulnerabilities in applications such as flawed coding or vulnerabilities in input and output functions in web-based or web-facing applications. Cross-site scripting (XSS) and SQL injection are common web application attack methods.
Web application firewalls (WAF) are the traditional line of defense against web application attacks. A WAF continuously inspects web traffic between users and applications to identify attempts to exploit vulnerabilities in the applications. WAFs use rules engines to compare every web request against a list of pre-configured rules, which are typically tuned for the applications being protected. Because of this design, WAFs require significant management overhead in order to maximize the amount of protection afforded as well as maintain it over time.
“Web application firewalls are very complex solutions, and a lot of organizations underestimate the time and resources required to maintain them,” said Shen. “They require constant care and feeding to remain effective.”
Often an organization will install an on-premise WAF, configure it once and then ignore it. That won’t work, according to Shen. “Even if no new attack vectors have been introduced, your applications change,” he said. “You need to be aware of how application updates affect your WAF configuration and adjust accordingly.”
HIMSS Analytics recently conducted a survey to determine market activity around web-based application security. The survey revealed that while 61 percent of healthcare organizations use an on-premise WAF, only 21 percent have deployed a cloud-based WAF.8 The results are interesting because the difference matters: Cloud-based WAFs offer distinct advantages over hardware-based WAFs.
One advantage is that cloud-based WAFs are often packaged with a managed-services component. That is, the vendor partners with the client to ensure WAFs remain up-to-date with respect to emerging attack vectors and web application changes.
Cloud-based WAFs also offer the ability to scale as needed, without creating performance issues. “With appliance-based WAFs, you can have a situation where you create a conflict between the performance people, who run the applications, and the security people, who secure the data center,” said Shen. “Now you have conflicting motivations, and you may or may not pull out your WAF solution when traffic gets too high and you see an impact on performance.”
Cloud-based WAFs eliminate the conflict between application performance and WAF functionality. The cloudbased WAF still sits between the web and the organization’s applications, but the functionality resides in the cloud, rather than drawing on internal network resources.
“Cloud-based WAFs also have the advantage of intercepting malicious cyber activity at the edge of the internet,” said Shen. “Because the WAF resides in the cloud, discovered attack traffic can be deflected or dropped before it even touches the healthcare provider’s network or applications.”
“The bottom line is that the more difficult we make our systems to breach, the less likely it is that we will be a target,” Kim concluded. “The key is continued investment in the right people, the right organizational policies and the right technologies.”
